incubator-flex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bertrand Delacretaz <bdelacre...@apache.org>
Subject Re: Signed RSL from Apache
Date Mon, 20 Feb 2012 17:26:30 GMT
Hi Omar,

On Mon, Feb 20, 2012 at 8:56 AM, Omar Gonzalez
<omarg.developer@gmail.com> wrote:
> ...RSL stands for runtime shared library. Portions of the Flex SDK are
> compiled into .SWZ files that are(were) signed by Adobe. This would yield
> two benefits, 1.) security and 2.) Flash Player RSL caching at a global
> level (all domains), meaning all sites using a specific version of the Flex
> SDK can be cached only once by a user. Because Adobe will no longer sign
> Apache Flex RSLs we lose #2. Having Apache host RSLs would help us to
> resolve #1 as Adobe will no longer host our RSLs...

Thanks for the explanation, so IIUC RSLs are binary files that are
signed and hosted on http servers. Apache does have a mirroring
structure (see http://www.apache.org/mirrors/ for example), so hosting
is not a problem.

Files released by Apache projects are usually signed using detached
PGP signatures, see http://www.apache.org/dev/release-signing - a
release manager signs the files, and the release is backed by a PMC
vote, making it an act of the foundation.

In the case of RSLs I assume signatures are checked by the client,
what are the requirements for that?

-Bertrand

Mime
View raw message